For a period of about 18 months, ransomware dominated the news related to information security. Companies of all sizes and verticals were under attack by cybercriminals looking to make a quick buck, or a lot of bucks in some cases. Then, all of a sudden, ransomware went quiet and we didn’t hear about it as much. There are numerous possible reasons for ransomware going quiet for a time. One popular theory is that these cybercriminals were further developing their malware code to make it more effective. The introduction of Ransomware-as-a-Service (RaaS) has further complicated the picture, as cybercriminals buy “older” versions of this malware, “improve” upon it, and then blast it out to everyone. Ransomware is a game of cat and mouse: cybercriminals create a version that is effective for a short time, then the information security world catches on and either figures out how to decrypt the files, or our anti-malware systems, email gateways and anti-virus programs learn to identify the malware and reduce the chances of it getting through to our systems.
Earlier this year, various ransomware examples began to pop up, especially around the “Locky” ransomware variant, as well as others. There were some changes to the underlying code but nothing substantial according to security researchers. Now another new variant of Locky has been identified over the past couple of days, and it is one we need to be aware of and pay attention to.
This new version of Locky is called IKARUS or Locky Diablo 6 by some security firms. The challenge with this specific ransomware example is that it evades your machine learning (your spam filters). The email appears to come from a vendor that you work with and contains an attachment that looks to be a scanned document from a Konica Minolta C224e, which happens to be a very popular business-class scanner/printer. So here you have a double whammy: it looks to come from someone legit and it looks to be a scan from a very popular business scanner/printer. The problem is that it is not legit and is a nightmare if you open the attachment.
So what do you do to mitigate your risk of an infection? The good news is that all the same rules apply for this ransomware variant as they did to others:
- Disable Local Admin Privileges – This version of ransomware still requires an executable to be run on the local machine. By disabling local admin privileges, users cannot run the executable and therefore cannot install the ransomware.
- Don’t Click on the Attachment (or Link) – If you get an email from a vendor that has an attachment, place a quick call to confirm it is legit. For this ransomware example, the subject line of the email is “Message from KM_C224e” and the body of the email is empty. That should be a glaring red flag not to open the attachment. There is a second variant of the email that contains the same ransomware with the subject line “Status of Invoice A2171771-07.” Note: it is not yet clear whether the invoice number changes, so be wary of any subject line that begins with “Status of Invoice….” Bottom line, don’t open the attachment unless you verify via phone that it is legit.
- Train and Test Your Employees – Your employees are the last line of defense and can either be your strongest defense mechanism or your weakest link. Train your employees on the latest threats and then test them through phishing campaigns and other social engineering assessments. Use the opportunities for positive growth and education to strengthen your defenses. Plus, isn’t it better if you test them versus a cybercriminal?
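The two email indicators above (the “Message from KM_C224e” subject with an empty body, and any subject beginning “Status of Invoice”, each carrying an attachment) can be turned into a simple mail-gateway triage rule. The following is an added example, not code from the original post; the sender addresses, attachment names and message contents are constructed for illustration and the attachment bytes are a harmless placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators from the post: exact scanner-lure subject and the invoice-lure subject prefix.
SUBJECT_EXACT = "message from km_c224e"
SUBJECT_PREFIX = "status of invoice"


def _body_is_empty(msg: EmailMessage) -> bool:
    """True when the message carries no readable text (or only whitespace)."""
    body = msg.get_body(preferencelist=("plain", "html"))
    return body is None or not body.get_content().strip()


def triage(raw: str) -> dict:
    """Score one RFC 822 message against the two Locky Diablo 6 lures."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg["subject"] or "").strip().lower()
    attachments = [p.get_filename() or "(unnamed)" for p in msg.iter_attachments()]
    reasons = []
    if subject == SUBJECT_EXACT and attachments and _body_is_empty(msg):
        reasons.append("scanner lure: KM_C224e subject, empty body, attachment present")
    if subject.startswith(SUBJECT_PREFIX) and attachments:
        reasons.append("invoice lure: 'Status of Invoice' subject with attachment")
    return {"subject": str(msg["subject"]), "attachments": attachments,
            "suspicious": bool(reasons), "reasons": reasons}


def build(subject: str, body: str, attachment_name: str) -> str:
    """Construct a sample message (not a real capture) for feeding to triage()."""
    m = EmailMessage()
    m["From"] = "scanner@vendor.example"  # constructed sender, not from the post
    m["To"] = "ap@corp.example"
    m["Subject"] = subject
    if body:  # an empty body yields a message with no text part at all
        m.set_content(body)
    if attachment_name:
        m.add_attachment(b"placeholder bytes, not malware", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()


# Constructed samples: the two lures as described in the post plus one benign mail.
SAMPLES = {
    "scanner": build("Message from KM_C224e", "", "scan.bin"),
    "invoice": build("Status of Invoice A2171771-07", "", "invoice.bin"),
    "benign": build("Q3 roadmap", "Draft attached, comments welcome.", "roadmap.pdf"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = triage(raw)
        print(name, "->", "QUARANTINE" if verdict["suspicious"] else "deliver", verdict["reasons"])
```

A rule like this only catches the lure as currently described; pair it with the phone-verification habit above, since the subject line or invoice number may change in a later wave.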